Data protection among children and young adults

  • Awareness
  • 30/03/2016
  • Hungarian Safer Internet Centre

In this article, Dr. Kisfaludi Gábor shares some methods to measure how students aged between 8 and 20 consider, classify and protect their data, what factors affect them and what adults can do to strengthen their awareness.

Being a Certified Information Systems Auditor for 15 years, as well as a father of school children aged between 8 and 17 years, I've been delivering 45-minute interactive lectures for students of similar ages for the last four years. During this time, I've met about 3,000 boys and girls and about 300 parents and teachers in various types of schools, from the summer camp of the elementary school to 19-20-year-old adults just before the maturity exam, in small towns all over the country and in the capital.
What data has this segment got which needs protecting?
Obviously, the data they have includes their own personal information, such as data for natural identification, digital identification, health status, accessibility, availability, financial and business information. However, they can also be knowledgeable about personal data belonging to others through sharing.
Since I had no opportunity to check their technical abilities (these have been controlled by their teachers in informatics classes in any case), I focused on the well-known PEBCAK. PEBCAK is an acronym, standing for Problem Exists Between Chair And Keyboard – it's technical slang, meaning that the root of the problem is human behaviour/negligence/lack of knowledge. As all those in the IT security business know well, this is always the weakest point in the system.
In doing such an analysis, I chose a risk-based approach, i.e. what types of information should be protected in this segment, how big could the damage be, what's the probability of the occurrence of such damage and what type of control(s) could be installed to diminish the overall damage.
Sampling is a widely-accepted method in audit, so I used experiments to examine the situation.
Experiment #1 - Perceived values of different data, privacy vs authority
Setup: I'm lecturing in school, showing power and authority over the students using either my voice or by commanding them.
Exercise: I ask the pupils who has an ID card with them now.
I choose one of those who indicate that they have it available to bring it to me, and borrow it for a second or two. There's been no one so far who has simply refused to do so.
Then I ask for something like a credit card to see if anyone has one to hand. Sometimes the answer is "Yes". Then I ask whether he or she would be willing to share it with me.
This time, the student is more suspicious and is not so certain that they should provide it voluntarily. But, sometimes the students do hand it over while asking what I intend to do with the card.
Then I ask the student whether they would be willing to share the PIN code with me. At that point, almost all of the students realise that they shouldn't share this with a stranger.
Analysis: We have a class discussion once all belongings have been returned to the owners. My question is: why had the students given me ANY of their documents?
The answers from the students included:
  • You're a teacher and we ought to provide you with this information.
  • It's not a big deal to show you an ID Card. There's nothing you could do with this!
  • I have no balance on my credit card.
My next question was: did you consider saying no at any time during this process?
Point 1: The exercise shows that perceptions of the value of the different data are vastly different. Privacy is much undervalued as compared to any money that is readily available.
Point 2: Perceived power learnt during education is imprinted so much that it suppresses the perceived risk.
Point 3: (Any)one can be put in situations where his or her perception misleads them. This is pretty obvious for students in a classroom: just because I was standing in front of the class, they perceived me to be a teacher even if no one had ever told them so.
Experiment #2: Value of personal information under different circumstances 
Setup: This time I'm the nice guy. I give them paper clippings with a promotional offer from a local newspaper.
Exercise: Here is the offer: you get a free scoop of ice cream of your choice by filling out the form voluntarily with a couple of pieces of data ranging from name, age, gender, date of birth, phone number, email address, shoe size, preference of ice cream, perfume brands, etc.
The form also asks for the permission of data handling and refers to the regulation of privacy and data protection of the ice cream company.
One scoop of ice cream costs about 200,- Ft (0,60 EUR) that can be obtained at the local ice cream booth in exchange for this little piece of paper being filled in and signed.
My question is this:
  • Would you like a FREE scoop of ice cream?
And later:
  • Was this ice cream really free?
  • Have you given nothing or something?
  • Wasn't it rather a business of exchange?
  • How much does it cost you to provide them with the data?
  • How much does it cost them to get your data?
  • How long does it take you to eat one scoop of ice cream?
  • How long can they use your data for?
  • Have you asked for and read the regulation of privacy and data handling of this company that you just accepted?
  • Can you delete the data? If yes, how?
  • What can you do if your data is shared with a third party?
  • Is it always a bad choice to share personal information with others?
Analysis: This segment is easily bribed with very cheap gifts even if they do have the money for the items they want. When in a purchasing situation, young people tend to focus on having the item as soon as possible, regardless of consequences. When they realise that they actually sold their own data, they either consider it to be a fair price or they start worrying.
I then showed them a short video demonstrating that sharing of personal data can cause direct financial damage.
In conclusion, when the students realised that they do not know whether they can withdraw their permission (and, if yes, how), and whether it can be shared with a third party, the vast majority declare that it should be forbidden to share any data with anyone.
In the session, we agreed that we must always share data with others but there must be procedures that identify who is asking for such information, and for what purpose.
In conclusion, I feel that the students I have encountered mostly lack:
  • information;
  • knowledge;
  • real life experience;
  • interest – they do not understand the concept and the importance of data protection, along with the perception of the power of retreat in case things go wrong;
  • power/respect to some adults or to certain situations – this makes them even more vulnerable to social engineering attacks than older people who are generally more suspicious.
The good news is that this generation is keen on and able to share information among themselves, so there's a better chance of them developing good practices.
However, as knowledgeable adults and parents, the ultimate responsibility remains with us. That can only be done by knowing what our kids are doing (detective control) and by being able to show them how to take control (teaching by example as a preventive measure) while supporting them in case things go wrong (corrective control).
© Dr. Kisfaludi Gábor, 2016
by Gábor Kisfaludi, PhD, MBA. CISA (Folyondár u. 68. Érd, H-2030, LinkedIn:
Read more about the Hungarian Safer Internet Centre.
